ASA Firewall – Packet Classification in Multiple Contexts Mode
By Yusuf Bhaiji
Security Contexts Overview
Firewall OS software version 7.0 introduced the capability of creating virtual partitions within a single physical firewall, also known as security contexts; this provides the function of a virtualized logical firewall within one physical firewall. Each virtualized context is an independent firewall and provides all the capabilities of a regular firewall, such as address translation, routing, protocol inspection, ACLs, and so on. The exceptions are dynamic routing protocols, VPN and multicast: these features are not supported in multiple contexts mode.
There are two ways to set up multiple security contexts:
- Multiple contexts in Routed mode (supports Shared Interface)
- Multiple contexts in Transparent mode (does not support Shared Interface)
Figure 1 illustrates the basic scenario when using multiple contexts.
Packet Classifier Function
As shown in Figure 1, for each packet entering the firewall, the firewall must determine the correct entry point depending on the destination of the packet. The entry point determines which context the packet will enter and subsequently depart through the firewall towards its final destination.
There are multiple criteria and conditions that need to be checked in order to make this decision. The function that takes this decision within the firewall is called the classifier.
The classifier function uses one of the following three criteria to determine the correct context for the packet:
- Unique interface
- Unique MAC address
- NAT configuration
The following sections will elaborate on each of these criteria.
Classifying Using Unique Interface
This method is the fundamental behavior and default policy in scenarios where unique interfaces are assigned to each context and no shared interface or overlap occurs. It is also the default policy in transparent mode: transparent mode requires a unique interface in each context and does not support shared interfaces, so transparent firewalls across multiple contexts must use unique interfaces.
Classifying Using Unique MAC Address
When using shared interfaces across multiple contexts, the classifier uses the unique MAC address policy to determine the context path. By default, a shared interface does not have a unique MAC address; it uses the default physical burned-in address (BIA).
In order for the classifier to determine the correct context, each shared interface must have a unique MAC address. You can assign a unique MAC address to each interface manually, or use the global command mac-address auto to achieve the same.
Figure 2 illustrates an example of packet classification using a unique MAC address when an interface is shared across multiple contexts.
As shown in Figure 2, contexts #1 and #2 share the Gig0/0 interface. In doing so, the MAC address on the shared interface needs to be unique in each context. If a unique MAC address were not configured, the upstream device would resolve (during the ARP process) to the built-in MAC address, and the arriving packet would qualify to enter both contexts.
In order to take the correct path, the unique MAC address helps identify the entry point into Context #2.
Classifying Using NAT Configuration
In scenarios using shared interfaces without unique MAC addresses, the classifier uses the NAT configuration matching the packet's final destination address to determine the correct context path. This method is primarily used where unique MAC addresses are not used on the shared interface and the classifier therefore cannot determine the correct entry path into the context from the MAC address alone. The workaround is to rely on the address translation rules within the contexts.
Figure 3 illustrates an example of packet classification using the NAT configuration when an interface is shared across multiple contexts without unique MAC addresses.
As shown in Figure 3, contexts #1 and #2 share the Gig0/0 interface but do not have unique MAC addresses; both use the default physical BIA "ABCD.1234.ABCD".
In this situation, the ASA classifier will use the NAT translation rules that match the destination address to determine the entry point into Context #2.
As shown in Figure 3, the packet arriving for destination 220.127.116.11 matches a NAT rule that translates it to 192.168.2.1, which directs the classifier to forward the packet through context #2.
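The three classifier criteria above (unique interface, then unique MAC address on a shared interface, then NAT mapped address) modelled as a small decision function. This is an added illustration, not Cisco code or the author's; the context names, the Gig0/1 and Gig0/2 interfaces, the per-context MACs 0000.0000.0001/0002 and the 203.0.113.0/24 mapped network are constructed, while the BIA "ABCD.1234.ABCD" and the 220.127.116.11 -> 192.168.2.1 translation come from Figure 3.

```python
# Constructed model of the multiple-context classifier decision order; not ASA code.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Context:
    name: str
    # interface name -> MAC address this context answers to on that interface
    interfaces: dict
    # mapped (translated) destination addresses from the context's NAT rules
    nat_mapped: list = field(default_factory=list)


def classify(contexts, ingress_if, dst_mac, dst_ip):
    """Return the name of the context the packet enters, or None when the
    classifier cannot decide (such packets do not reach any context)."""
    owners = [c for c in contexts if ingress_if in c.interfaces]
    if not owners:
        return None
    # 1. Unique interface: only one context owns the ingress interface.
    if len(owners) == 1:
        return owners[0].name
    # 2. Shared interface with unique MACs: match the frame's destination MAC.
    macs = [c.interfaces[ingress_if].lower() for c in owners]
    if len(set(macs)) == len(macs):
        for c in owners:
            if c.interfaces[ingress_if].lower() == dst_mac.lower():
                return c.name
        return None
    # 3. Shared interface with the same burned-in MAC: match the destination IP
    #    against the mapped addresses in each context's NAT rules.
    dst = ip_address(dst_ip)
    hits = [c for c in owners if any(dst in ip_network(n) for n in c.nat_mapped)]
    return hits[0].name if len(hits) == 1 else None


BIA = "ABCD.1234.ABCD"  # default burned-in address from Figure 3
# Figure 2 style: Gig0/0 shared, each context given its own MAC (MACs constructed).
UNIQUE_MAC_CONTEXTS = [
    Context("ctx1", {"Gig0/0": "0000.0000.0001", "Gig0/1": BIA}),
    Context("ctx2", {"Gig0/0": "0000.0000.0002", "Gig0/2": BIA}),
]
# Figure 3 style: Gig0/0 shared with the BIA in both contexts; ctx2 translates
# 220.127.116.11 to 192.168.2.1. The ctx1 mapped network 203.0.113.0/24 is constructed.
BIA_CONTEXTS = [
    Context("ctx1", {"Gig0/0": BIA, "Gig0/1": BIA}, ["203.0.113.0/24"]),
    Context("ctx2", {"Gig0/0": BIA, "Gig0/2": BIA}, ["220.127.116.11/32"]),
]
```

A destination that matches no context's NAT rules on a BIA-shared interface returns None, which is the case the text warns about when neither unique MACs nor translations are in place.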
Using Shared Interface on the Inside Network
As shown in previous examples, the most common application of using a shared interface across the contexts is on the outside network facing the upstream device. This is common when you have a single exit point out of your network and all contexts must use the same network on the outside segment.
However, in some scenarios you can also have a shared interface on the inside network segment, but this brings some major restrictions. The classifier will rely on address translation to determine the context, based on the NAT rule (an outside NAT rule) matching the destination address.
If you are not using address translation, or NAT control is disabled, then you must ensure you have unique MAC addresses for the inside shared interfaces across the contexts.